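---
# Terraform CI for the per-module directories under terraform/: fmt and
# validate on every run, plan plus a PR summary comment on pull requests,
# and an auto-approved apply on pushes to main.
name: Terraform Enforcement

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    paths:
      - "terraform/**"
  # `pull_request` (not `pull_request_target`) is deliberate: PRs from forks
  # run without repository secrets and with a read-only token, so the plan
  # and comment steps below are expected to fail for fork PRs rather than
  # expose credentials to untrusted code.
  pull_request:
    branches:
      - main
    paths:
      - "terraform/**"
  # Allows for running this workflow manually from the GitHub Actions UI
  workflow_dispatch:

# Least-privilege token: read the repository, mint an OIDC token to assume
# the AWS role, and write the summary comment on the pull request.
permissions:
  contents: read
  id-token: write
  pull-requests: write

# Serialize workflow runs per ref so two quick pushes to main cannot start
# overlapping `terraform apply` runs against the same state. An in-flight
# apply is never cancelled. Matrix jobs inside one run still execute in
# parallel; they target different module directories.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

jobs:
  terraform_enforcement:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        terraform_module: [aws, github]
    defaults:
      run:
        shell: bash
        # Every `run:` step executes inside the module being checked.
        working-directory: terraform/${{ matrix.terraform_module }}
    steps:
      # TODO(security): pin every third-party action to a full commit SHA
      # instead of a mutable major tag, e.g.
      # `uses: actions/checkout@<full-commit-sha>  # v3`, so a retagged or
      # compromised release cannot silently change what runs with these
      # permissions and secrets. Applies to all four `uses:` lines below.
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full clone; a shallow clone would likely suffice — confirm

      # Short-lived credentials via OIDC; no long-lived AWS keys in secrets.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ secrets.DEFAULT_AWS_REGION }}
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction

      # The action's default wrapper is what exposes `steps.plan.outputs.stdout`
      # for the PR comment step.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: "1.5.0"

      # -input=false matches plan/apply below: never block CI on a prompt.
      - name: Terraform Init
        id: init
        run: terraform init -input=false

      - name: Terraform Format
        id: fmt
        run: terraform fmt -check

      - name: Terraform Validate
        id: validate
        run: terraform validate

      # continue-on-error lets the summary comment be posted even when the
      # plan fails; the "Terraform Plan Status" step re-raises the failure.
      - name: Terraform Plan
        id: plan
        if: github.event_name == 'pull_request'
        run: terraform plan -no-color -input=false
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
        continue-on-error: true

      # Create or update one summary comment per module. The plan text is
      # passed through an environment variable and read via process.env so it
      # is never spliced into the JavaScript source; the remaining ${{ }}
      # interpolations are step outcomes, the matrix value and event metadata.
      # NOTE(review): a very large plan may exceed GitHub's issue-comment size
      # limit and make the API call fail — consider truncating PLAN.
      - name: Comment Plan Summary on PR
        uses: actions/github-script@v6
        if: github.event_name == 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
          TERRAFORM_MODULE: ${{ matrix.terraform_module }}
        with:
          script: |
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            })
            // Only comments authored by a bot are candidates for update, keyed
            // on the per-module heading so the aws and github jobs do not
            // overwrite each other's summary.
            const botComment = comments.find(comment =>
              comment.user.type === 'Bot' &&
              comment.body.includes('Terraform Enforcement Summary (${{ env.TERRAFORM_MODULE }})')
            )
            const output = `## Terraform Enforcement Summary (${{ env.TERRAFORM_MODULE }})
            #### Terraform Format and Style: 🖌\`${{ steps.fmt.outcome }}\`
            #### Terraform Initialization: ⚙️\`${{ steps.init.outcome }}\`
            #### Terraform Validation: 🤖\`${{ steps.validate.outcome }}\`
            #### Terraform Plan: 📖\`${{ steps.plan.outcome }}\`
            <details><summary>Show Plan</summary>
            \`\`\`\n
            ${process.env.PLAN}
            \`\`\`
            </details>
            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.TERRAFORM_MODULE }}\`, Workflow: \`${{ github.workflow }}\`*`;
            if (botComment) {
              github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: output
              })
            } else {
              github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: output
              })
            }

      # Turn the tolerated plan failure back into a failed job after the
      # comment has been posted.
      - name: Terraform Plan Status
        if: steps.plan.outcome == 'failure'
        run: exit 1

      # Runs only for pushes to main. Note this applies a fresh plan computed
      # at apply time, not the plan that was reviewed on the PR, so the two
      # can differ if the remote state changed in between.
      - name: Terraform Apply
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
        run: terraform apply -auto-approve -input=false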